Tuesday, September 18, 2007

Vulnerability in Google’s XSSploding Gadgets

RSnake revealed a cross-site scripting vulnerability affecting Google Gadgets in the gmodules.com domain. This XSS hole allows anybody to store his/her own web content, including JavaScript code, anywhere and to have it rendered and executed in the context of the gmodules.com domain, with no further validation of any sort.

RSnake responsibly reported his finding to Google before resorting to public disclosure, but the G guys answered that this behavior is “by design” and won’t be fixed.

What does it mean?

For the average user, such a vulnerability means that phishers can effectively exploit a site owned by Google as a free hosting facility, which makes blacklisting and/or shutting down the scam quite impractical: don’t forget that Firefox’s built-in anti-phishing blacklist is provided by Google itself.